Can I skip having an information security program in place in Rhode Island? What are the requirements?
Information Security Program Requirements in Rhode Island
No, you cannot skip having an information security program in place in Rhode Island. According to RIGL 11-49.3-2[a], any municipal agency, state agency, or person who or that stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure and to preserve the confidentiality, integrity, and availability of such information.
Similarly, 230 RICR 20-60-8.4 requires each licensee to implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
Security Requirements
The Rhode Island Health Information Exchange (HIE) and Regional Health Information Organizations (RHIO) must implement security procedures pursuant to R.I. Gen. Laws § 5-37.7-8. The RHIO shall have in place appropriate physical, technical and procedural safeguards and security measures to ensure the technical integrity, physical safety, and confidentiality of any confidential health information in the HIE. These safeguards and security measures shall be in place at all times and at any location at which the RHIO, its workforce members, or its contractors hold or access confidential health information. Such safeguards and security measures shall comply with State and Federal confidentiality laws and Regulations including, without limitation, the Health Insurance Portability and Accountability Act of 1996 and its implementing Regulations (45 C.F.R. Parts 160 through 164), HITECH and the HIPAA Final Omnibus Rule [2.1].
Social Security Number Protection
Rhode Island law prohibits intentional communication or otherwise making available to the general public all or part of an individual’s social security number. It also prohibits printing all or part of an individual’s social security number on any card required for the individual to access products or services provided by the person or entity. Additionally, it requires that a secure connection or encryption be used when transmitting all or part of an individual’s social security number over the Internet. The law also prohibits printing all or part of an individual’s social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed. Social security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the social security number. A social security number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened [4.1].
In summary, it is mandatory to have an information security program in place in Rhode Island. The program should contain reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information, and the purpose for which the information was collected. Breach notification requirements and patients’ rights should also be considered. The Rhode Island Health Information Exchange (HIE) and Regional Health Information Organizations (RHIO) must implement security procedures pursuant to R.I. Gen. Laws § 5-37.7-8. Rhode Island law prohibits intentionally communicating or otherwise making available to the general public all or part of an individual’s social security number.
Jurisdiction: Rhode Island